Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

If you ever read security vulnerabilities you eventually run into a notation looking like "CVE-2002-0947." This is a standard naming convention for vulnerabilities called Common Vulnerabilities and Exposures (CVE). CVE is administered by a company called Mitre, a non-profit company that operates governmental research facilities and other such cool things. In addition to hosting the CVE list, Mitre acts as the editor for aspects of list development. But the most important decisions are made by an editorial board with representatives of security and software firms.

CVE is an important part of modern security efforts but it could be more important. The main function of CVE is to provide security-related programs a common naming set for vulnerabilities on which they may operate. Security products, vulnerability scanners for example, usually provide mappings to CVE names. For example, Netcraft has a network vulnerability scanning service called Netcraft Network Examination which provides mappings to CVE names for the vulnerabilities it finds. The CVE site has a list of CVE-compatible products, including an entry for Netcraft.

What is an exposure as opposed to a vulnerability? A vulnerability is a bug which results in a security problem; an exposure is a potential security problem resulting from correct behavior. For example, many operating systems and applications will come with default root/admin passwords of "password" or just be blank. This is correct behavior, but its a potential source of trouble.

Further reading

I cant figure out for sure from the CVE site how a candidate becomes a candidate, and Mitre never got back to me. It looks like Mitre analysts make these decisions on their own, which is perhaps the best way to do it.

But the overly-formal structure of CVE keeps the data in the system old, limiting the usefulness. It seems to take a while before candidates are entered, and it can take months, seemingly ages, before they formally enter the list. Consider the MS SQL Server Slammer worm: the vulnerability behind it is still listed as a candidate, although 3 members of the editorial board have voted to accept it. This is a very old vulnerability.

In many ways the most recent vulnerabilities are the most important ones, so if a vulnerability list is not reasonably up to date its not useful. CVE is pretty out of date. As a result, CVE-compatible programs have to function without CVE names. In a sense this makes the CVE names a redundant capability, but where they exist they do add to the interoperability between security products of different vendors and the ability of administrators to digest reports.

Unfortunately, the mapping of vulnerabilities between different tools is not always very clean, even with CVE. Different tools address CVEs differently; for instance, a vendor patch might address part of a CVE or multiple CVEs. Testers might have to design one test for multiple CVEs or multiple tests for one.

Its interesting to compare this with the informal naming system that exists for viruses. Did you ever wonder how viruses get names like "W32.Sobig.C@mm?" Part of it is a standard system showing the platform and version, but the actual name part is created by researchers from various vendors who exchange information with each other on mailing lists as new outbreaks emerge. As with new elements and species, usually the first researcher to find a virus gets to name it, usually based on some string in or other characteristic of the virus. But if Marconi and Tesla can simultaneously invent radio, surely its possible for two researchers to discover the same virus in the wild. Some have suggested that the antivirus industry needs a committee like CVE to name viruses. I think the last thing we need is a way to slow down virus research.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.